
Effective Firewall configuration
For most organisations an effective firewall policy is critical. The firewall is still the edge-of-network control point, responsible for outbound traffic management, NAT, routing, and inbound traffic management for any Internet-facing services the organisation runs.
Most modern Next Generation Firewalls (NGFWs) integrate with the company directory to support user- and group-based controls, classify traffic into applications (classification is imperfect, and that weakness is routinely exploited by commercial VPNs and privacy applications), classify web traffic into applications and categories, and inspect both outbound and inbound traffic for exploits, viruses and other malware.
Policies often have further dimensions, such as time-based elements. Taken together, even the smallest organisations can end up with a complex policy.
Maintaining this configuration over time is challenging. Users report issues and management decide who can access what and when, which leads to rushed changes to firewall policies. Technology or configuration changes elsewhere in the network can also undermine the policy: for example, a group name or the group structure in Active Directory may be changed without considering that firewall rules rely on those groups for enforcement. A rule that references a group which no longer exists under that name silently matches nobody, and the traffic and applications it was meant to block fall through to whatever rule follows.
A lack of change control, siloed IT management, and policy makers who do not understand the basic concepts of how policies are implemented in the infrastructure all contribute to these problems.
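The directory-drift failure described above can be caught mechanically by comparing the group names written into rules against a current directory export. The following is an added illustration, not code from this page or any firewall vendor: the rule fields, the objectGUID-keyed group snapshots and the rule set itself are constructed for the example, and the hypothetical "before" snapshot stands in for whatever export was current when the rules were written.

```python
"""Detect firewall rules whose directory-group references have drifted.

Added illustration: when a group in Active Directory is renamed or deleted,
a firewall rule that matches on the old group name keeps its place in the
policy but matches nobody, so traffic falls through to later (often more
permissive) rules. All rule and directory data below is constructed for the
example; the field names are assumptions, not any vendor's schema.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str
    source_groups: list  # group names exactly as written in the rule
    applications: list


@dataclass
class DirectoryGroup:
    object_guid: str  # stable identifier; survives a rename
    name: str


# Constructed snapshot of the directory when the rules were written.
GROUPS_AT_RULE_TIME = [
    DirectoryGroup("guid-0001", "Staff"),
    DirectoryGroup("guid-0002", "Students-Y12"),
    DirectoryGroup("guid-0003", "Contractors"),
]

# Constructed current snapshot: Students-Y12 renamed, Contractors deleted.
GROUPS_NOW = [
    DirectoryGroup("guid-0001", "Staff"),
    DirectoryGroup("guid-0002", "Students-Year12"),
]

# Constructed rule set; the last rule is the permissive catch-all that
# drifted deny rules fall through to.
RULES = [
    Rule("allow-staff-web", "allow", ["Staff"], ["web-browsing", "ssl"]),
    Rule("block-students-social", "deny", ["Students-Y12"], ["facebook", "tiktok"]),
    Rule("block-contractor-rdp", "deny", ["Contractors"], ["ms-rds"]),
    Rule("allow-any-web", "allow", [], ["web-browsing", "ssl"]),
]


def audit_group_references(rules, groups_then, groups_now):
    """Return {rule_name: {group_name: status}} for every rule naming a group.

    status is one of:
      "ok"                    - the name still resolves in the current directory
      "renamed -> <new name>" - same objectGUID exists under a new name
      "deleted"               - no object with that GUID remains
      "unknown"               - name never existed in the baseline (typo or stale export)
    Anything other than "ok" means the rule currently matches no user.
    """
    then_by_name = {g.name: g for g in groups_then}
    now_by_guid = {g.object_guid: g for g in groups_now}
    now_names = {g.name for g in groups_now}
    report = {}
    for rule in rules:
        for gname in rule.source_groups:
            if gname in now_names:
                status = "ok"
            elif gname in then_by_name:
                guid = then_by_name[gname].object_guid
                if guid in now_by_guid:
                    status = f"renamed -> {now_by_guid[guid].name}"
                else:
                    status = "deleted"
            else:
                status = "unknown"
            report.setdefault(rule.name, {})[gname] = status
    return report


def inert_deny_rules(rules, report):
    """Deny rules whose every group reference has drifted: the traffic they
    were written to block now reaches the next matching rule instead."""
    inert = []
    for rule in rules:
        statuses = report.get(rule.name, {})
        if rule.action == "deny" and statuses and all(s != "ok" for s in statuses.values()):
            inert.append(rule.name)
    return inert


if __name__ == "__main__":
    rep = audit_group_references(RULES, GROUPS_AT_RULE_TIME, GROUPS_NOW)
    for rule_name, groups in rep.items():
        for g, s in groups.items():
            print(f"{rule_name}: group {g!r} -> {s}")
    print("deny rules that no longer match anyone:", inert_deny_rules(RULES, rep))
```

Keying the comparison on the directory object's GUID rather than its name is what lets the check tell a rename (fixable by updating the rule) from a deletion (the rule needs a policy decision); a name-only diff would report both as "missing" and hide which rules have quietly become permissive.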
Safeguarding introduces further issues, because the technology is often not designed to meet those requirements directly.
Some examples are:
- Firewall web traffic classifications do not align with safeguarding categories.
- Firewall web traffic classifications may not include some important safeguarding categories at all.
- Traffic may be classified as a specific social media application, but further classification of the user-generated content carried inside it, which may be harmful, is not possible.
- VPNs often have multiple methods of obfuscating traffic so that an NGFW classifies it as social media or news, ultimately providing an unregulated Internet experience for the VPN user.
- Decryption of web traffic is problematic: while it improves visibility, coverage is often incomplete, and it can still be subverted by some privacy applications and VPNs.
- Firewall protocol validation is often not robust, and inspection is often stopped after a set amount of traffic for performance reasons, again allowing applications to subvert policy restrictions.
Many organisations do not have the time or skills to invest in firewall log analysis to detect these problems, and users seldom report over-access or ineffective blocking; this is particularly true in schools and colleges. Often logs are only examined once there has been an incident.
Our products:
- We provide dynamic lists of IP address and domain data for deployment on firewalls, DNS servers and other infrastructure to block access to commercial VPNs.
- We provide dynamic lists of IP address data to identify the source IP addresses of commercial VPN providers.
- We provide dynamic lists of data to detect and block other applications and services, including Tor and proxy services.
- We process firewall and other logs to detect commercial VPN, Tor, proxy and other anomalous use.
- We provide information to help organisations adopt and implement clear policies on blocking undesirable applications and technologies, and to make their infrastructure more effective at applying policy rules and data services.
- We provide consulting services to help organisations improve their controls, policy enforcement effectiveness, processes and procedures.
- We provide customer firewall log analysis to identify problems with policy control, for example missing user attribution, misclassification of applications, and abuse of protocols by VPNs and privacy applications.
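The log-analysis points above (detecting VPN and Tor use from a dynamic address list, spotting sessions with no user attribution, and catching traffic to a known VPN endpoint that the NGFW has logged as plain "ssl" or "web-browsing") reduce to a few checks over each traffic-log record. The following is an added example, not this vendor's product or a real provider list: the list entries use documentation/test address ranges, the log lines are constructed, and the CSV column layout is an assumption rather than any firewall's export format.

```python
"""Scan firewall traffic logs for commercial-VPN/Tor use, missing user
attribution and application misclassification.

Added illustration for the log-analysis points above. The address list, the
log lines and the field layout are all constructed for this example (the
CIDRs are documentation/test ranges, not real provider addresses); the columns
mimic a generic CSV traffic log and are assumptions, not a vendor format.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed "dynamic list": provider,type,cidr. A real list would also carry
# domains for DNS-side blocking; this example matches destination IPs only.
VPN_LIST_TEXT = """\
# provider,type,cidr
examplevpn,vpn,203.0.113.0/24
tor,tor,198.51.100.0/25
"""

# Constructed traffic log:
# timestamp,src_user,src_ip,dst_ip,dst_port,app,bytes,session_secs
LOG_TEXT = """\
2024-05-01T08:01:02,DOMAIN\\alice,10.0.5.21,93.184.216.34,443,ssl,48210,12
2024-05-01T08:02:10,,10.0.7.44,203.0.113.17,443,ssl,182000000,1815
2024-05-01T08:03:55,DOMAIN\\bob,10.0.5.30,203.0.113.99,443,web-browsing,9600000,600
2024-05-01T08:04:12,DOMAIN\\carol,10.0.5.31,198.51.100.9,9001,ssl,2400000,900
2024-05-01T08:05:00,,10.0.7.45,93.184.216.34,80,web-browsing,12000,3
"""

# Heuristic thresholds (assumed for the example) for a long-lived, high-volume
# flow, the shape a tunnel takes when the firewall sees it as ordinary TLS.
LONG_SESSION_SECS = 900
HIGH_VOLUME_BYTES = 50_000_000

GENERIC_APPS = {"ssl", "web-browsing"}  # "nothing more specific" classifications


def load_list(text):
    """Parse the list into [(ip_network, provider, kind)], skipping comments."""
    nets = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        provider, kind, cidr = line.split(",")
        nets.append((ipaddress.ip_network(cidr, strict=False), provider, kind))
    return nets


def lookup(ip, nets):
    """Return (provider, kind) for the first listed network containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, provider, kind in nets:
        if addr in net:
            return provider, kind
    return None


def analyse(log_text, list_text):
    """Return one finding per log record that trips any check."""
    nets = load_list(list_text)
    fields = ["ts", "src_user", "src_ip", "dst_ip", "dst_port", "app", "bytes", "secs"]
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        reasons = []
        hit = lookup(row["dst_ip"], nets)
        if hit:
            provider, kind = hit
            reasons.append(f"dst in {kind} list ({provider})")
            # Listed VPN/Tor endpoint logged as generic web traffic: the NGFW
            # never identified the application, so app-based rules did not apply.
            if row["app"] in GENERIC_APPS:
                reasons.append(f"app misclassified as {row['app']}")
        if not row["src_user"]:
            reasons.append("no user attribution")  # user/group rules cannot match
        if int(row["bytes"]) >= HIGH_VOLUME_BYTES and int(row["secs"]) >= LONG_SESSION_SECS:
            reasons.append("long high-volume session")
        if reasons:
            findings.append({"src_ip": row["src_ip"], "dst_ip": row["dst_ip"],
                             "user": row["src_user"] or "<none>", "reasons": reasons})
    return findings


def summarise(findings):
    """Count reasons with the provider name stripped, for a quick overview."""
    counts = Counter()
    for f in findings:
        for r in f["reasons"]:
            counts[r.split(" (")[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = analyse(LOG_TEXT, VPN_LIST_TEXT)
    for f in results:
        print(f["src_ip"], "->", f["dst_ip"], f["user"], "|", "; ".join(f["reasons"]))
    print(summarise(results))
```

The unattributed sessions are worth treating as a finding in their own right, independent of any list hit: every user- or group-based rule is a no-op for a flow the firewall could not map to a user, so a steady count of them indicates a broken identity integration rather than a quiet network. Against a live log the list would be refreshed on the same schedule as the firewall consumes it, and the generic-app check should be scoped to listed destinations, as here, to avoid flagging every ordinary TLS session.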